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Abstract 

We give a new construction of algebraic codes which arc efficiently list dccodablc from a 
fraction 1 — R — e of adversarial errors where R is the rate of the code, for any desired positive 
constant e. The worst-case list size output by the algorithm is 0(1/ e), matching the existential 
bound for random codes up to constant factors. Further, the alphabet size of the codes is 
a constant depending only on e — it can be made exp(0(l/e 2 )) which is not much worse 
than the lower bound of exp(0(l/e)). The parameters we achieve are thus quite close to the 
existential bounds in all three aspects — error-correction radius, alphabet size, and list-size 
- simultaneously. Our code construction is Monte Carlo and has the claimed list decoding 
property with high probability. Once the code is (efficiently) sampled, the encoding/decoding 
algorithms are deterministic with a running time O e (N c ) for an absolute constant c, where N 
is the code's block length. 

Our construction is based on a linear-algebraic approach to list decoding folded codes from 
towers of function fields, and combining it with a special form of subspacc-cvasive sets. Instan- 
tiating this with the explicit "asymptotically good" Garcia-Stichtcnoth tower of function fields 
yields the above parameters. To illustrate the method in a simpler setting, we also present a 
construction based on Hcrmitian function fields, which offers similar guarantees with a list and 
alphabet size polylogarithmic in the block length N. Along the way, we shed light on how to 
use automorphisms of certain function fields to enable list decoding of the folded version of the 
associated algebraic-geometric codes. 
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1 Introduction 



An error-correcting code C of block length N over a finite alphabet £ maps a set Ai of messages 
into codewords in H N . The rate of the code C, denoted R, equals ^logi s i \M\. In this work, 
we will be interested in codes for adversarial noise, where the channel can arbitrarily corrupt any 
subset of up to tN symbols of the codeword. The goal will be to correct such errors and recover 
the original message/codeword efficiently It is easy to see that information-theoretically, we need 
to receive at least RN symbols correctly in order to recover the message (since \M\ = \Y\ RN ), so 
we must have r ^ 1 — R. 

Perhaps surprisingly, in a model called list decoding, recovery up to this information-theoretic 
limit becomes possible. Let us say that a code C C T, N is (r, ^)-list decodable if for every received 
word y € £ , there are at most I codewords c 6 C such that y and c differ in at most tN 
positions. Such a code allows, in principle, the correction of a fraction r of errors, outputting at 
most t candidate codewords one of which is the originally transmitted codeword. 

The probabilistic method shows that a random code of rate R over an alphabet of size exp(0(l/e)) 
is with high probability (1 — R — e, 0(l/e))-list decodable |Eli91| . However, it is not known how 
to construct or even randomly sample such a code for which the associated algorithmic task of list 
decoding (i.e., given y € Y* N , find the list of codewords within fractional radius 1 — R — e) can be 
performed efficiently. This work takes a big step in that direction, giving a randomized construc- 
tion of such efficiently list-decodable codes over a slightly worse alphabet size of exp(0(l/e 2 )). We 
note that the alphabet size needs to be at least exp(0(l/e)) in order to list decode from a fraction 
1 — R — e of errors, so this is close to optimal. For the list-size needed as a function of e for decoding 
a 1 — R — e fraction of errors, the best lower bound is only f2(log(l/e)) |GN12] . but as mentioned 
above, even random coding arguments only achieve a list-size of 0(1/ e), which our construction 
matches up to constant factors. 

We now review some of the key results on algebraic list decoding leading up to this work. A 
more technical comparison with related work appears in Section 11.11 The first construction of 
codes that achieved the optimal trade-off between rate and list-decoding radius, i.e., enabled list 
decoding up to a fraction 1 — R — e of worst-case errors with rate R, was due to Guruswami and 
Rudra [GR08| . They showed that a variant of Reed-Solomon (RS) codes called folded RS codes 
admit such a list decoder. For a decoding radius of 1 — R — e, the code was based on bundling 
together disjoint windows of m = 0(l/e 2 ) consecutive symbols of the RS codeword into a single 
symbol over a larger alphabet. As a result, the alphabet size of the construction was N^ 1 ^ K 
Ideas based on code concatenation and expander codes can be used to bring down the alphabet size 
to exp(0(l/e 4 )), but this compromises some nice features such as list recovery and soft decoding 
of the folded RS code. Also, the decoding time complexity as well as proven bound on worst-case 
output list size for these constructions were jV^ 1 /^ which is rather large. 

Our main final result statement is the following. The codes we construct are a randomly sampled 
subcode of an analog of folded Reed-Solomon codes for an asymptotically optimal tower of function 
fields due to Garcia and Stichtenoth [GS95| IGS96] , 

Theorem 1.1 (Main). For any R £ (0, 1) and positive constant e E (0, 1), there is a Monte Carlo 
construction of a family of codes of rate at least R over an alphabet size exp(0(log(l/e)/e 2 )) that 
are encodable and (1 — R — £,0(1/ (Re)) -list decodable in £ (N C ) time, where N is the block length 
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of the code and c is an absolute positive constant. 

Even though our codes are not fully explicit, they are "functionally explicit" in the sense that 
once the code is (efficiently) sampled, with high probability the polynomial time encoding and 
decoding algorithms deliver the claimed error-correction guarantees for all allowed error patterns. 
We note that our codes are quite close to the existential bounds in three aspects simultaneously — 
the trade-off between error fraction 1 — R — £ and rate R, the list-size as a function of e, and the 
alphabet size of the code family (again as a function of e). Our algorithms can also be extended to 
the "list recovery" setting in a manner similar to |GR08[ iGurllj : we omit discussion of this aspect 
and the straightforward details. 

To first illustrate our ideas in an algebraically simpler (and perhaps more practical) setting, we 
first give a construction based on a tower of Hermitian field extensions |She93 . This gives a similar 
result, albeit with alphabet size and list-size upper bound polylogarithmic in N. 

1.1 Prior and related work 

Let us recap a bit more formally the construction of folded RS codes from |GR08| . One begins with 
the Reed-Solomon encoding of a polynomial / € of degree < k consisting of the evaluation 

of / on a subset of field elements ordered as 1,7,... , 7 n_1 for some primitive element 7 6 ¥ q 
and n < q. For an integer "folding" parameter m ^ 1 that divides n, the folded RS codeword is 
defined over alphabet F™ and consists of n/m blocks, with the j'th block consisting of the m-tuple 
(/(7 (i ~ 1)m ), /(7 (i ~ 1)m+1 ), ■ ■ ■ , 7(7 j m ' 1 ))- T he alg orithm in |GR08j for list decoding these code_s 
was based on the algebraic identity f{^X) = f{X) q in the residue field ¥ q [X]/(X q ~ 1 — 7) where / 
denotes the residue / mod (X 9-1 — 7). This identity is used to solve for / from an equation of the 
form Q(X, f(X), /(7X), . . . , f( r y s ~ 1 X)) = for some low-degree nonzero multivariate polynomial 
Q. The high degree q > n of this identity, coupled with s ~ 1/e, led to the large bounds on list-size 
and decoding complexity in |GR08j . 

One possible approach to reduce q (as a function of the code length) in this construction would be 
to work with algebraic-geometric codes based on function fields K over ¥ q with more rational points. 
However, an automorphism a of K that can play the role of the automorphism f(X) 1— > /(7X) of 
¥ q (X) is only known (or even possible) for very special function fields. This approach was used 
in |GurlO| to construct list-decodable codes based on cyclotomic function fields using as a certain 
Frobenius automorphisms. These codes improved the alphabet size to polylogarithmic in N, but 
the bound on list-size and decoding complexity remained N™ 1 ' £ > . 

Recently, a linear-algebraic approach to list decoding folded RS codes was discovered in |VadlO[ 
IGurllj . Here, in the interpolation stage, which is common to all list decoding algorithms for alge- 
braic codes |Sud97[ IGS99} IPV05t IGR08] , following the idea in [VadlOj one finds a linear multivariate 
polynomial Q(X,Y\, . . . ,Y S ) whose total degree in the Y^s is 1. The simple but key observation 
driving [Gurll] is that the equation Q(X, f(X), . . . , /( 7 S ~ 1 X)) = now becomes a linear system in 
the coefficients of /. Further, it is shown that the solution space has dimension less than s, which 
again gives a list-size upper bound of Finally, since the list of candidate messages fall in an 

affine space, it was noted in [Gurll] that one can bring down the list size by carefully "pre-coding" 
the message polynomials so that their k coefficients belong to a "subspace-evasive set" (which has 
small intersection with every s-dimensional subspace of ¥ q ). This idea was used in [Gurll] to give 
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a randomized construction of (1 — R — e, 0(l/e 2 ))-list decodable codes of rate R (in fact, the list 
size bound is worse — it is £l(N) — if one requires efficient encoding of the code). However, the 
alphabet size and runtime of the decoding algorithm both remained N^ 1 '^. In [GWllj . similar 
results were also shown for derivative codes, where the encoding of a polynomial / consists of the 
evaluations of / and its first m — 1 derivates at distinct field elements. 

In a concurrent independent work, Dvir and Lovett gave an elegant construction of explicit 
subspace evasive sets based on certain algebraic varieties [DLllj . This yields an explicit version of 
the codes from [Gurllj . albeit with a worse list size bound of (l/e)°^/ £ \ This work and [DLllj 
are incomparable in terms of results. The big advantage of [DLllj is the deterministic construction 
of the code. The benefits in our work are (i) our list-size of 0(l/e) is much better and in fact 
optimal up to constant factors and (ii) we are able to construct codes over an alphabet size that 
is a constant independent of N, whereas in [DL11] the N n ^^ £ ) alphabet size of folded RS codes 
is inherited. Both our work and [DLllj achieve a decoding complexity of O e {N c ) with exponent 
independent of e. 

We should note that since we require sets that are evasive with respect to subspaces of large 
dimension, and which have further structural properties needed in the decoding, we cannot use the 
construction in [DLllj to make the codes in this work explicit. 

1.2 Our techniques 

We describe some of the main new ingredients that go into our work. We need both new algebraic 
insights and constructions, as well as ideas in pseudorandomness relating to subspace-evasive sets 
with additional structure. We describe these in turn below. 

Algebraic ideas. As mentioned above, effecting the original "non-linear" approach in |GR08j 
IGurlOj with automorphisms of more general function fields seems intricate at best. The correct 
generalization of the linear-algebraic list decoding approach to the function field case is also not 
obvious. One of the main algebraic insights in this work is noting that the right way to generalize 
the linear-algebraic approach to codes based on algebraic function fields is to rely on the local power 
series expansion of functions from the message space at a suitable rational point. (The case for 
Reed-Solomon codes being the expansion around 0, which is a finite polynomial form.) 

Working with a suitable automorphism which has a "diagonal" action on the local expansion 
lets us extend the linear-algebraic decoding method to AG codes. Implementing this for specific AG 
codes requires an explicit specification of a basis for an associated message (Riemann-Roch) space, 
and the efficient computation of the local expansion of the basis elements at a special rational point 
on the curve. We show how to do this for two towers of function fields: the Hermitian tower |She93j 
and the asymptotically optimal Garcia-Stichtenoth tower |GS95j IGS96j . The former tower is quite 
simple to handle — it has an easily written down explicit basis, and we show how to compute the 
local expansion of functions around the point with all zero coordinates. However, the Hermitian 
tower does not have bounded ratio of the genus to number of rational points, and so does not 
give constant alphabet codes (we can get codes over an alphabet size that is polylogarithmic in 
the block length though). Explicit basis for Riemann-Roch spaces of the Garcia-Stichtenoth tower 

x As mentioned above, the bound in |DL11] is (l/e) ' 1 ^- 1 and it seems very difficult to get a sub-exponential 
dependence on 1/e with the algebraic approach relying on Bezout's theorem to construct subspace-evasive sets. 
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were constructed in [SAK + 0l] . Regarding local expansions, one major difference is that we work 
with local expansion of functions at the point at infinity, which is fully "ramified" in the tower. For 
both these towers, we find and work with a nice automorphism that acts diagonally on the local 
expansion, and use it for folding the codes and decoding them by solving a linear system. 

Pseudorandomness. These algebraic ideas enable us to pin down the messages into a subspace 
of dimension linear in the message length. To prune this list, we need several additional ideas. 
The starting point is to follow [Gurllj and only encode messages in a subspace-evasive set which 
has small intersection with low-dimensional subspaces. Implementing this in our case, however, 
leads to several problems. First, since the subspace we like to avoid intersecting much has large 
dimension, the list size bound will be linear in the code length and not a constant like in our 
final result. More severely, we cannot go over the elements of this subspace to prune the list 
as that would take exponential time. To solve the latter problem, we observe that the subspace 
has a special "periodic" structure, and exploit this to show the existence of large "hierarchically 
subspace evasive" (h.s.e) subsets which have small intersection with the projection of the subspace 
on certain prefixes. Isolating the periodic property of the subspaces, and formulating the right 
notion of evasiveness w.r.t to such subspaces, is an important aspect of this work. 

We also give a pseudorandom construction of good h.s.e sets using limited wise independent 
sample spaces, in a manner enabling the efficient iterative computation of the final list of intersecting 
elements. With some additional ideas, we ensure that one can efficiently index into a large subset 
of our h.s.e set construction (this is needed to get an efficient encoding algorithm for our code). 
As a further ingredient, we note that the number of possible subspaces that arise in the decoding 
is much smaller than the total number of possibilities. Using this together with a trick to take 
the intersection of two subspace evasive set constructions, we are able to reduce the list size to a 
constant. 

1.3 Organization 

We begin by isolating the special notion of subspaces which our evasive sets should avoid intersecting 
too much (Section [2]). We describe our construction of folded Hermitian codes and a linear-algebraic 
list decoding algorithm for these codes in Section [3l In Section HI we define and construct the 
special "hierarchically" subspace-evasive (h.s.e) sets that we need. We show how to combine the 
h.s.e sets with folded Hermitian codes in Section 02 this gives a result similar to Theorem 11.11 with 
polylogarithmic alphabet and list size. We show how our ideas can be used to construct folded 
codes based on the Garcia-Stichtenoth tower, and how to combine them with h.s.e sets to get our 
main result (Theorem II. 1[) in Section [6l 

2 Periodic subspaces 

The list decoding algorithm for our algebraic codes will first pin down the candidate messages to 
a subspace. The structure of the subspace will be important to us in order to be able to efficiently 
prune it to a much smaller list. In this section, we make some important definitions capturing this 
property. Let us begin with some notation. 

Notation (Projection of vectors and sets). For a vector y = (yi,y2, ■ ■ ■ ,Vm) 6 ^"q 1 an< ^ positive 
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integers t\ ^ t 2 ^ m, we denote fry proj[ 4ljt2 ] (y) G F* 2 ite projection onto coordinates t\ through 
t 2 , i.e., proj [tl)t2] (y) = (y tl ,y tl +i, ■ ■ ■ ,y t2 )- Whent 1 = l, we use proj t (y) to denote proj [ljt] (y). 

For a subset SCFj and positive integers t\ ^ t 2 ^ k, we denote the projection of S onto the 
coordinates in the range [ti,t 2 ] &y proj [tl t2 ](5). Formally, proj [tljt2 ](S') = {proj^ lt2] (y) | y G S}. 
Again, we use proj t (5) to denote proj[ l t ](5). 

The specific definition of periodic subspaces below (which might appear rather technical) is 
motivated by the structure of the subspaces arising in our list decoding application (for example, 
as guaranteed by Lemma l3.7p . The special structure of these subspaces is important to guarantee 
the existence of "subspace evasive sets" (defined later) that are good enough for our purposes. 

Definition 1. (s, A)-periodic subspacesEI) For positive integers s,A,b, an affine subspace W of 
¥ q where k = bA is said to be (s, A)-periodic if there is a subspace U of¥ A of dimension less than s 
such that for ally G W and 1 ^ i ^ b, projr( i _ 1 )^ +lj ^i(y) belongs to the affine space U + hi, where 
hi is a column vector whose coordinates are affine combinations ( depending only on i) of the first 
(i — 1)A coordinates of y; formally, b,; = Cj • proj(j_ 1 \ A (y) + v, for some matrix Ci G F^ x ^ ^ A 
and Vi 6F ? A . We can represent such an affine subspace by U, {Ci, Vj}j_^. 

Note that if W is an (s, A)-periodic subspace of ¥ b q A , for every i, 1 ^ i ^ b, and every a G Wq 1 ' )A , 
the affine space {pi , oj[( i _ 1 ) A+l iA ](w) | w G W and pi , oj( i _ 1 ) A (w) = a} has dimension at most s 
(and in particular it has at most q s elements). Therefore, by an inductive argument, we have 
|projj A (VF)| ^ q ls for 1 ^ i ^ b, which together with the fact that proj iA (Ty) is an affine subspace 
implies the following. 

Observation 2.1. If W is an (s, A)-periodic subspace of¥ q A , then for i = 1,2, ... ,b, p~roji^(W) 
is also (s, A) -periodic and has dimension at most s ■ i as an affine subspace of¥ q A . 

3 Folded codes from the Hermitian tower 

In this section, we will describe a family of folded codes based on the Hermitian function field (or 
rather a tower of such fields). 

3.1 Background on Hermitian tower 

In what follows, let r be a prime power and let q = r 2 . We denote by ¥ q the finite field with q 
elements. The Hermitian function tower that we are going to use for our code construction was 
discussed in |She93j . The reader may refer to [She93| for the detailed background on the Hermitian 
function tower, and Stichtenoth's book |Sti93j for general background on algebraic function fields 
and their use in constructing algebraic-geometric codes. The Hermitian tower is defined by the 
following recursive equations 

+ ^i+i = x l + ^ j i = 1, 2, . . . , e — 1. 

2 According to the definition, an (s, A)-periodic subspace is in fact an affine space. For convenience, we blur this 
distinction, which is not too important for us, and use the terminology periodic subspace to refer to them. 
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Put F e = ¥ q (xi,X2, • • • , x e ) for e ^ 2. We will assume that r ^ 2e. 

Rational places. The function field F e has r e+1 + 1 rational places. One of these is the "point at 
infinity" which is the unique pole Poo of x\ (and is fully ramified). The other r e+1 come from the 
rational places lying over the unique zero P a of x\ — a for each a G ¥ q . Note that for every a €¥ q , 
P a splits completely in F e , i.e., there are r e_1 rational places lying over P a . Intuitively, one can 
think of the rational places of F e (besides Poo) as being given by e-tuples («i, «2, • • • > «e) £ F^ that 
satisfy cx r i+1 + cti+i = a[ +1 for i = 1, 2, . . . , e — 1. For each value of a G F ? , there are precisely r 
solutions to /? G Fq satisfying /3 r + /3 = a r+1 , so the number of such e-tuples is r e+1 (q = r 2 choices 
for a±, and then r choices for each successive ctj, 2 ^ i ^ e). 

Riemann-Roch spaces. For a place P of P e , we denote by up the discrete valuation of P: for a 
function h G P e , if h has a zero at P, then vp{h) gives the number (multiplicity) of zeroes, if h has 
a pole at P, then —vp{h) gives the pole order of ft at P, and fp(h) = if h has neither a zero or 
a pole at P. 

For an integer I, we consider the Riemann-Roch space defined by 

C(lPoo) := {heF e \ {0} : v Poo (h) > -1} U {0}. 

Then the dimension OlPoo) is at least I — g e + 1 and furthermore, £(lPoo) = ^ — <?e + 1 if I ^ 2<7 e — 1. 
A basis over F 9 of C(lPoo) can be explicitly constructed as follows 



*> : (ji, ■ ■ ■ Je) G Z| , J>r e "*(r + l)*" 1 < l\ . (1) 



Ji 

l l -°e • VJi) • • • ) Jej ^ ^^0) 

i=l 



We stress that evaluating elements of C(lPoo) at the rational places of F e (other then Poo) is 
easy: we simply have to evaluate a linear combination of the monomials allowed in ([1]) at the tuples 
(ai, «2) ■ ■ ■ j « e ) G ¥q mentioned above. In other words, it is just evaluating an e-variate polynomial 
at a specific subset of r e+1 points of ¥ q , and can be accomplished in polynomial time. 



Genus. The genus g e of the function field F e is given by 



C 1 / — 1 \ f> £ / \ -i p 6 „■ 1 

1 er x - ^ /ev^ 1 




,9c 



where the last step used r 2e. 



i=i v 7 i=i 



A useful automorphism. Let 7 be a primitive element of ¥ q and consider the automorphism 
a G Aut(P e /F 9 ) defined by 

\ x% 1 — ^ -y( r+1 ) Xj for i = 1,2, ... ,e. 
The order of a is g — 1 and furthermore, we have the following facts: 

(i) Let Po be the unique common zero of x±, X2, ■ ■ ■ , x e (this corresponds to the e-tuple (0, 0, ... , 0)), 
and Pqo the unique pole of x±. The automorphism a keeps Po and Poo unchanged, i.e., Pq" = Po 

and Pqo' 7 = Poo; 



7 



(ii) Let P be the set of all the rational places which are neither P*, nor zeros of x\. Then |P| = (q— 
l)r e_1 . Moreover, a divides P into r e_1 orbits and each orbit has q— 1 places. For an integer m 



with 1 ^ m ^ q—1, we can label Nm distinct elements Pi, Pf , . . . , Pf 
in P, as long as N ^ r 



per" 



e-1 



9-1 



Definition 2 (Folded codes from the Hermitian tower). Assume that m,l,N are positive integers 



satisfying 1 ^ m ^ q — 1 and I jm ^ iV ^ r 



e-l 



3-1 



T/ie folded code from F e with parameters 



N,l,q,e,m, denoted by Fh\(N,l,q,e,m), encodes a message function f £ C(lPoo) as 



/ 


r /(a) " 




r /(ft) " 




/(iV) 


\ 










, . . . , 


/(^) 




V 


. f{P\ ml ) . 








. f(pf") . 


J 



N 



(3) 



Lemma 3.1. The above code FH(N,l,q,e,m) is an ¥ q -linear code over alphabet size q m , rate at 

-9e + ~ 

Nm 



least 1 ^r!^" 1 , and minimum distance at least N — -J- . 



Proof. It is clear that the map ([3]) is an F^-linear map. The dimension over ¥ q of the message space 
£{lPoa) is at least I — g e + 1 by the Riemann-Roch theorem, which gives the claimed lower bound 
on rate. For the distance property, observe that if the z-th column is zero, then / has m zeros. 
This implies that the encoding of a nonzero function / can have at most l/m zero columns since 

/ e £(ZPoo). □ 



3.2 Redefining the code in terms of local expansion at P 

For our decoding, we will actually recover the message / € C(lPoo) in terms of the coefficients of 
its power series expansion around Pq 

f = h + hx + f 2 x 2 + ■■■ 

where x := x\ is the local parameter at Pq (which means that x\ has exactly one zero at Pq, i.e., 
^Po( x i) = !)• I n feet, realizing that one must work in this power series representation is one of the 
key insights in this work. 

Let us first show that one can efficiently move back-and-forth between the representation of 
/ G £(/Poo) in terms of a basis for C(lPoo) and its power series representation (/o> /i> • • • ) around 
Pq. Since the mapping / i— > (/o, /i, • • • ) is F g -linear, it suffices to compute the local expansion at 
Pq of a basis for C(lPoo). 

Lemma 3.2. For any n, one can compute the first n terms of the local expansion of the basis 
elements ([T]) at Pq using poly (n) operations over¥ q . 

Proof. By the structure of the basis functions in ([TJ , it is sufficient to find an algorithm of efficiently 
finding local expansions of Xi at Pq for every i = 1,2,... ,e. We can inductively find the local 
expansions of Xi at Pq as follows. 

For i = 1, x\ is the local parameter x of Pq, so x is the local expansion of x\ at Pq. 



S 



Now assume that we know the local expansion of x\ = X^=i c i,3 x3 a ^ f° r some Cjj G F 9 . 
Then we have 



oo 

J 



/] c i+l,j X '' r + 5^ C *+l ,3 X ° — X i+l + — X l +1 — I < %j X ^ r I I C *'-? X 

j'=i i=i \i=i / \i=i 

By comparing the coefficients of rr J in the above identity, we can easily solve q+ij's from Cjj's. 
More specifically, the coefficient of x J at the left of the identity is 

Thus, all Cj+ij's can be easily solved recursively. □ 



To keep the list output by the algorithm at a controllable size, we will combine the code with 
certain special subspace evasive sets. For this purpose, we will actually need to index the messages 
of the code by the first k coefficients (/q, ft, ■ ■ ■ , fk-i) of the local expansion of the function / at Pq. 
This requires that for every (/q, fx, ... , ft-i) there is a / G C(lPoo) whose power series expansion 
has the f$ as the first k coefficients. This is easy to ensure by taking I = k + 2g e — 1 as we argue 
below. Note that to ensure that C(lPoo) has dimension k, it suffices to pick I = k + g e — 1 by the 
Riemann-Roch theorem. We pick I to be g e more than this bound. Since the genus will be much 
smaller than the code length, we can afford this small loss in parameters. 

Let us define the local expansion map evp : C((k + 2g e — l)Poo) - > that maps / to 
(/o, /i, . . • , fk-i) where f = fo + fix + f 2 x 2 H is the local expansion of / at P - 

Claim 3.3. evp is an ¥ q -linear surjective map. Further, we can compute evp using poly(k, g e ) 
operations over ¥ q given a representation of the input f G C((k + 2g e — l)Poo) in terms of the basis 
©• 

Proof. The F ? -linearity of evp is clear. The kernel of evp is C((k + 2g e — l)Poo — kPo) which has 
dimension exactly g e by the Riemann-Roch theorem. By the rank-nullity theorem, the image must 
have dimension k, and so the map is surjective. The claimed complexity of computation follows 
immediately from Lemma 13.21 □ 

For each (/o, /i, • • • , /fc-i) G F*, we can therefore pick a pre-image in C((k + 2g e — l)P co ). 
For convenience, we will denote an injective map making such a unique choice by Kp : F^ — >• 
C((k + 2g e — l)P 0O ). By picking the pre-images of a basis of F^ and extending it by linearity, we 
can assume Kp to be F^-linear, and thus specify it by a (k + g e ) x k matrix. We record this fact 
for easy reference below. 

Claim 3.4. The map Kp : F^ — > C((k + 2g e — 1)Pqo) is ¥ q -linear and injective. We can compute a 
representation of this linear transformation using poly(fc, g e ) operations over¥ q , and the map itself 
can be evaluated using poly(/s, g e ) operations over¥ q . 

We will now redefine a version of the folded Hermitian code that maps F^ to (¥ q n ) N by composing 
the folded encoding ([3]) from the original Definition [2] with np . 



9 



Definition 3 (Folded Hermitian code using local expansion). The folded Hermitian code FH(iV, k, q, e, 
maps f = (/o,/i,...,/fc-i)€F* to FH(N, k + 2g e - 1, q, e, m){n Po (f)) G (F™)^. 

The rate of the above code equals k/(Nm) and its distance is at least N — (k + 2g e — l)/m. 



3.3 List decoding folded codes from the Hermitian tower 

We now present a list decoding algorithm for the above codes. The algorithm follows the linear- 
algebraic list decoding algorithm for folded Reed-Solomon codes. Suppose a codeword ([3]) encoding 
/ G Im(Kp ) C C{{k + 2g e — l)Poo) is transmitted and received as 

/ 2/1,1 2/2,1 



UNA \ 



2/1,2 2/2,2 



(4) 



\ 2/l,m • • • UN,m J 

where some columns are erroneous. Let s ^ 1 be an integer parameter associated with the decoder. 

Lemma 3.5. Given a received word as in using poly(-/V) operations over ¥ q , we can find a 
nonzero linear polynomial in F e [Yi, Y 2 , . . . , Y s ] of the form 



Q(Y 1 ,Y 2 , ...,Y S )=A + A\Y\ + A 2 Y 2 + • • • + A S Y S 



satisfying 



(5) 
(6) 



Q(Vij,yi d+ i, • • • , Vij+s-i) = A (P[ ) + A S (P° )y iJ+1 + ... + A s (P[ )y iJ+s = 

for i = 1,2, ... ,N and j = 0, 1, . . . , m — s. The coefficients Ai of Q satisfy Ai £ C^DPqc) for 
i = 1,2, . . . , s and Aq £ C((D + k + 2g e — 1)Pqo) for a "degree" parameter D chosen as 



D 



N(m -s + l)-k + (s- l)g e + 1 
7+1 



(7) 



Proof. If we fix a basis of C^DPoq) (of the form ([T])) and extend it to a basis of C{(D+k+2g e — l)P oa ) , 
then the number of freedoms of Aq is at least D + k + g e and the number of freedoms of A{ is at 
least D — g e + 1 for i ^ 1. Thus, the total number of freedoms in the polynomial Q equals 



s(D - g e + 1) + D + k + g e = (s + 1)(D + 1) - (s - l)g e — l + k> N(m - s + 1) 



(8) 



for the above choice ([7]) of D. The interpolation requirements on Q G i^fYi, . . . , y s ] are the 
following: 



Q( yi>j ,y i>j+1 , • • • , yij+ s -i) = A (Pf ) + A s {Pf )y lJ+1 + ■■■ + A s {Pf )y i>j+s 







(9) 



for i = 1,2, . . . , N and j = 0, 1, . . . , m — s. The interpolation requirements on Q give a total of 
N(m — s + 1) homogeneous linear equations that the coefficients of the A^s w.r.t the chosen basis 
of C((D + k + 2g e — l)Poo) must satisfy. Since the number of such coefficients (degrees of freedom 
in Q) exceeds N{m — s + 1), we can conclude that such a linear polynomial Q as required by the 
lemma must exist, and can be found by solving a homogeneous linear system over ¥ q with about 
N(m — s + 1) variables and constraints. □ 
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Similar to earlier interpolation based list decoding algorithms, the following lemma gives an alge- 
braic condition that the message functions / £ £({k-\-2g e — l)-Poo) we are interested in list decoding 
must satisfy. The proof is a standard argument comparing the pole order to the number of zeroes. 

Lemma 3.6. If f is a function in C{{k + 2g e — l)Poo) whose encoding (0) agrees with the received 
word y in at least t columns with t > ^-^jf^— - , then 

Qif, r~\. . . , r~ (a - 1} ) = a + A 1 f + A 2 r~ 1 + ...+ ^r" (s_1) = o. (10) 

Proof. The proof proceeds by comparing the number of zeros of the function Q(f,f a ) = 

A + A 1 f + A 2 r~ 1 + ■ ■ ■ + A s r' (a ' 1} with D + k + 2g e - 1. Note that Q(f, f°~\ . . . , r" <s_1) ) is 
a function in C((D + k + 2g e — l)P 0O ). If column i of the encoding Q of / agrees with y, then for 
all j = 0, 1, . . . , m — s, we have 

= A (Pr i ) + A 1 (Pf)y id+1 + A 2 (Pf)y iJ+2 + ... + A s (Pf)y itj+s 

= A (Pf) + A x (pf)f(pf) + A 2 {Pf )f(Pf +1 ) + ■■■ + )/(/-' ^ ) 

= mp?) +MPf)f{pf) +A 2 {pf)r-\pf) + ...+A s {pf)r- (s ~ 1 \pf) 
= (,4 + A 1 / + A 2 r" 1 + --- + ^r" (s - 1) )(^) . 

Note that here we use the fact that f a (P a ) = f{P) a = f(P), or equivalently f(P a ) = / CT_1 (P). 
In other words, Q(f,f a 1 ,...,/ CT ^ 1) ) has (m — s + 1) distinct zeros from this agreeing col- 
umn. Thus, there are a total of at least t(m — s + 1) zeros for all the agreeing columns. Hence, 
Q(f, f a 1 , . . . , f a <a 1] ) must be the zero function when t(m — s — 1) > D + k + 2g e — 1. □ 

Solving the functional equation for f . Our goal next is to recover the list of solutions / to the 
functional equation (|10|) . Recall that our message functions lie in Im(«;p ), so we can recover / by 
recovering the top k coefficients (/o, fi, . . . , fk-i) of its local expansion / = h %3 a * ^o- We 

now prove that (/o, /i, . . . , fk-i) for / satisfying Equation (fTU|) belong to a "periodic" subspace (in 
the sense of Definition [1]) of not too large dimension. 

Lemma 3.7. The set of solutions (fo, /i, . . . , fk-i) G such that f = fo + fix + i^ 2 + • • • G 
C((k + 2g e — l)Poo) obeys equation 

A + Atf + A 2 f~" + ■■■+ Asf-^ = , (11) 

when the Ai 's obey the pole order restrictions of Lemma \3.5\ and at least one A{ is nonzero, is an 
afftne subspace W of dimension at most (s — 1) . 

Further, there are at most q Nm + s + l possible choices of the subspace W (as a function of the 
Ai 's), each of which is (s,q — 1) -periodic. Given the representation of each Ai w.r.t the basis ([1]), 
we can find a representation of W in terms of the periodic subspace U of dimension less than s, 
and the affine shifts in each window of q — 1 coordinates, in the sense of Definition^ 

Proof. Let u = min{^p (^4j) : i 
Ai has a local expansion at Pq: 



= 1, 2, . . . , s). Then it is clear that u ^ and vp (Aq) ^ u. Each 

oo 

^4_2 — X ^^^^ ^2 J ^ 
7=0 
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for i = 0, 1, . . . ,s — 1, which can be efficiently computed from the basis representation of the A^s. 
From the definition of it, one knows that the polynomial 



B (X) := oi, + a 2 , X + ■■■ + as^X 3 ' 1 

is nonzero. Assume that at Po, the function / has a local expansion Yl'jLo fj x ^ ■ Then f a ' has a 
local expansion at Po as follows 

oo 
3=0 

where £ = 1/7. The coefficient of x d+u in the local expansion of Q(f, f a 1 , . . . , f a (s X) ) 



is 



d-l 



= J B (e d )/d + ^6i/i + «o,d, (12) 

8=0 

where bi £ ¥ q is a linear combination of aij which does not involve fj. Hence, fd is uniquely 
determined by / , . . . , f d -i as long as B (£ d j + 0. Let S := {0 < d < g - 2 : £ (£ d ) = 0}. Then 
it is clear that \S\ ^ s — 1 since the order of £ is q — 1 and Bq(X) has degree at most s — 1. Thus, 
A) If) 7^ if and only if j mod (q — 1) ^ S; and in this case fj is a fixed affine linear combination 

of fi for < i < j. Note that Bq(X) has at most (s — 1) roots among {£* : i = 0, 1, . . . , k— 1}. 

It follows that the set of solutions (/o, /1, • • • , /fe-i) is an affine space WcFj, and the dimension 

of W is at most (s - 1) 

The fact that W is (s,q — l)-smooth follows from (|12p and noting that the coefficients b^-j 
for j ^ 1 in that equation are given by Bj{^ d ~^) where Bj(X) := a\j + aijX + • • • + a Si jX s ~ 1 . 
Therefore, once the values of /j, ^ i < (j — l)(q — 1) are fixed, the possible choices for the next 
block of (q — 1) coordinates, /(j-i)( 9 -i)> " ' ' 5 fj(q-i)-ii ne i n an affine shift of a fixed subspace of 
dimension at most (s — 1). Further, this shift is an easily computed affine linear combination of the 
/j's in the previous blocks. This implies the efficient computability of the claimed representation 
of W. 

Finally, by the choice of D in (|7j), the total number of possible (Aq, Ai, . . . , A s ) and hence the 
number of possible functional equations (llip . is at most q N ( m ~ s + 1 )+ s + l ^ gNm+s+i^ xherefore, the 
number of possible candidate subspaces W is also at most q Nm + s + 1 ^ □ 

Combining Lemmas 13.61 and 13. 71 we conclude, after some simple calculations, that one can find a 
representation of the (s, q — l)-periodic subspace containing all candidate messages (/o, fx, ... , fk-i) 
in polynomial time, when the fraction of errors r = 1 — t/N satisfies 

t < _s s k 3m ff e 

T ^s + 1 s + lN(m-s + l) m-s + lmN' ^ ' 



Pruning the subspace. Applying Lemma 13.71 directly we would get a list size bound of ~ 
q sk /i which would be super-polynomial in the code length unless k = O(q). Thus this idea does 
not directly allow us to get good list decodable codes while keeping the base field size small or 
achieve a list size that grows polynomially in s. Instead what we show is that by only encoding 
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(/O) /i> • • • j fk-i) £ F^ that are restricted to belong to a special subspace- evasive set, we can (i) bring 
down the list size, and (ii) find this list efficiently in polynomial time (and further the exponent of 
the polynomial is independent of e, the gap to capacity). To this end, we develop the necessary 
machinery concerning subspace evasive sets next. Later, in Sectional we combine these subspace 
evasive sets with our folded Hermitian codes to get good list-decodable codes. 

4 Subspace evasive sets with additional structure 

Let us first recall the notion of "ordinary" subspace-evasive sets from [Gurllj . 

Definition 4. A subset S C F^ is said to be (d, €)-subspace-evasive if for all d- dimensional affine 
subspaces W o/F£, we have \S D W\ < I. 

We next define the notion of evasiveness w.r.t a collection of subspaces instead of all subspaces 
of a particular dimension. 

Definition 5. Let T be a family of (affine) subspaces ofW^, each of dimension at most d. A subset 

5 C F^ is said to be (J r ,d,£)-evasive if for all W G T , we have \S n W\ I. 

4.1 Hierarchical subspace-evasive sets 

The key to pruning the list to a small size is the notion of a hierarchical subspace-evasive set, 
which is defined as a subset of F|? with the property that some of its prefixes are subspace-evasive 
with respect to (s, A)-periodic subspaces. We will show how the special subspace-evasive sets help 
towards pruning the list in our list decoding context in Section 14.51 

Definition 6. Let T be a family of (s, A) -periodic subspaces of¥^. A subset S C Fj is said to be 
(J 7 , s, A, L)-h.s.e (for hierarchically subspace evasive for block size A) if for every affine subspace 
W £ J-, the following bound holds for j = 1, 2, . . . , b: 

|proj iA (S)nproj jA (WO| ^L . 

4.2 Random sets are hierarchically subspace evasive 

Our goal is to give a randomized construction of large h.s.e sets that works with high probability, 
with the further properties that one can index into elements of this set efficiently (necessary for 
efficient encoding), and one can check membership in the set efficiently (which is important for 
efficient decoding). 

An easy probabilistic argument, see |Gurll| . shows that a random subset of F^ of size about 
q( l ~C) k is ((i, O(d/0)-subspace evasive with high probability. As a warmup, let us work out the 
similar proof for the case when we have only to avoid a not too large family T of all possible 
(/-dimensional affine subspaces. The advantage is that the guarantee on the intersection size is now 
0(l/£) and independent of the dimension d of the subspaces one is trying to evade. 
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Lemma 4.1. Let £ £ (0, 1) and A; 6e a Zarge enough positive integer. Let J 7 be a family of affine 
subspaces of¥ k each of dimension at most d ^ (k/2, with |P| ^ q ck for some positive constant c. 

Let W be a random subset of¥ k chosen by including each i£Fj in W with probability q~^ k . 
Then with probability at least l — q~ ck , W satisfies both the following conditions: (i) |W| q( 1 ~ 2 O k ^ 
and (ii) W is (J 7 , d, Ac/C)-evasive. 

Proof. The first part follows by noting that the expected size of W equals q^~O k anc i a standard 
Chernoff bound calculation. For the second part, fix an affine subspace S C T of dimension at 
most d, and a subset T C 5 of size t, for some parameter t to be specified shortly. The probability 
that W3T equals q'^ . By a union bound over the at most q ck choices for the affine subspace 
S € J 7 , and the at most q dt choices of t-element subsets T of S, we get that the probability that W 
is not (J 7 , d, t)-evasive is at most q ck+dt ■ q~( kt ^ g ck q-< kt / 2 s i nce d ^ Qk/2. Choosing t = [4c/C], 
this quantity is bounded from above by q~ ck . □ 

4.3 Pseudorandom construction of large h.s.e subsets 

We next turn to the pseudorandom construction of large h.s.e subsets. Suppose, for some fixed 
subset T of (s, A)-periodic subspaces of ¥ k , we are interested in an (J 7 , s, A,£)-h.s.e subset of ¥ k 
of size ~ (jf( 1- f) fc f or a constant 1/A < £ < 1. For simplicity, let us assume that the block size 
A divides k, though arbitrary k can be easily handled. (We will also ignore floors and ceilings in 
the description to avoid notational clutter; those are easy to accommodate and do not affect any 
of the claims.) Define b = ^ to be the number of blocks. The parameters b, A, k and field size q 
will be considered fixed for the rest of the discussion in this section. 

Our construction will use some arbitrary fixed subsets Ai, A2, . . . , A& where A, C F^a with 
l-A-tl = q^~^ A - The only requirement from the subsets Aj is that membership in them can be 
checked using at most poly (i A) operations over ¥ q . 

The random part of the construction will consist of two sets of mutually independent, random 
polynomials Pi, P2, . . . jP& and Q±, Q2, ■ ■ ■ , Qb where Pi,Qi G F^a [T] are random polynomials of 
degree A for 1 ^ i ^ b. □ The degree parameter will be chosen to be A = @(k). 

The key fact we will use about the random polynomials Pj's is the following, which follows by 
virtue of the A-wise independence of the values of a random degree A polynomial. 

Fact 4.2. For a fixed subset T C ¥ q iA with \T\ ^ A, the values {Pi(a)} a eT are independent random 
values in ¥ qi A . 

In what follows we assume that, for i = 1, 2, . . . , b, some fixed bases of the fields F^a have been 
chosen, giving us some canonical F^-linear injective maps pi : ¥ q A -»• F 9! a. 

Definition 7. Given the polynomials P l5 P2, . . . , P&, define the subset T(Pi, P2, . . . , P&) by 
{y = (vx,V2,---, Vb) e F^ I Vj E Wf, Pj(pj{yi ° y 2 ° • • • o Vj )) e Aj for j = 1,2, ... ,6} . 

3 We will assume that representations of the necessary extension fields F^ A are all available. For this purpose, we 
only need irreducible polynomials over F g of degree iA, which can be constructed by picking random polynomials 
and checking them for irreducibility. Our final construction is anyway randomized, so the randomized nature of this 
step does not affect the results. 
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Given the above definition, our final h.s.e set will be defined as follows (we suppress the depen- 
dence of H on Pi , Qi for convenience) : 

H = r(p 1 ,p 2 ,...,p b )nr(Q 1 ,Q 2 ,...,Q b ) . (14) 

The reason for defining the set as the intersection of two T sets will become clear later on. We will 
later modify the construction slightly to ensure also the efficient encoding property that we seek 
(but it is cleaner to first present the construction without this extra concern). 

We first note that it is highly likely that the set H is large, and then establish the h.s.e property. 
Lemma 4.3. With probability at least 1 — q~ n ( k *> over the choice of {Pi,Qi}i^i^b, we have 

\H\ > q^ l - 3 ^ k . 

Proof. For each y £ Fj, define the indicator random variable I y for the event that y G T. We 
have E[J y ] = (q-^ A ) 2b = q- 2 ^ k . Therefore, E[\H\] = £ yeFfe E[/ y ] = qi^O*. For degree A ^ 2, 
the random variables I y 's are pairwise independent, so by Chebyshev's inequality, we have that 
|r| ^ q0-- 3 k w ith probability at least 1 - q~ Q ( k \ □ 

We now move on to the main claim about the h.s.e property of our construction^ 

Theorem 4.4. Let £ G (0,1) and s be a positive integer satisfying s < (A/10. Let J 7 be a 
subset of at most q ck (s, A) -periodic subspaces of ¥ k for some positive constant c. Suppose that 
the parameters satisfy the condition q^ A ^ (2qck) 10 ^ 9 . Then with probability 1 — exp(— £l(k)) over 
the choice of random polynomials {Pi,Qi}i^i<^b each of degree A > ck, the set H defined in (]14p is 
(J 7 , s, A, L)-h.s.e and (J 7 , sb, £)-evasive for L ^ ck and t ^ 20c/£. 

Proof. We will prove that w.h.p over the choice of Pi's, the subset F = f r(Pi, P 2 , ■ ■ ■ , Pb) is 
(J 7 , s, A, L)-h.s.e for L = ck, and this will imply the same for H as H C r(Pi, P 2 , ■ ■ ■ , Pb)- We will 
then prove that conditioned on T being (J 7 , s, A, L)-h.s.e, with high probability over the choice of 
the Qi's, H will intersect any subspace in T at less than 0(1/0 points. (Note that every subspace 
in T has dimension at most sb by Observation 12.11 ) Together, these steps will imply the claim of 
the theorem. 

For the first step, it suffices to show that w.h.p, the following holds: For every (s, A)-smooth 
subspace W <^¥ k that belongs to F, we have 

|Tjn Wi\ < L for i = 1,2, . . . ,b 

where Wi = proj iA (W) and Tj = proj iA (r). (Recalling the definition of T, this means that 

Ti = {z G Ff | Pi(f>i(*)) G Ai and proj iA (z) G Tj for 1 ^ j < i} .) 

We will establish this by induction. For the base case i = 1, this is just the standard argument 
using the A-wise independence of the set Tj. By the choice of the degree A we made, L < A. For 
each fixed set of L elements, the events that they all belong to T% are independent and each occurs 

4 We have not attempted to optimize the constants in the conditions stated in the theorem. 
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with probability equal to the density of Ai C ¥ q A which q C - A . Therefore, for a fixed subspace 
U C F A of dimension s, the probability that \U Pi Tx| ^ L is at most 

(£V CAL < g s V CAL < <T 9si , 

using s ^ (A/10. Since there are at most \J-\ candidates U which are of the form proj^(VF) for 
W G J 7 , by a union bound over such [/, we conclude that the probability that |Ti n W±\ ^ L for 
some W G J 7 is at most q ck q~ 9sL <^ q-^( k ) f or the choice L = c/e. 

Suppose now that i > 1 and we condition on the fact that for every W G J 7 , we have n 
Wj_i| ^ L. Let us first fix W G J 7 and upper bound the probability that |r, n Wi\ > L. Since 
n Wi— 1| L, the number of candidate elements in r, n Wi is at most L ■ q s , since there are 
at most L possibilities for the first (i — 1)A coordinates, and by the definition of (s, A)-smoothness 
(Definition [TJ , for each of these there are at most q s possibilities for the last A coordinates. The 
probability that some L of these candidates actually belong to Tj, and thus the probability that 
\Tir\Ui\ ^ L, is at most (Lq s ) L -q~^ L . Taking a union bound over all If 6 J, we have \TiD Wi\ ^ L 
for all W G J- except with probability at most 

q ck (L ■ g(-< A )) £ < q ck (L ■ q -°^ A ) L = (q . ck ■ q ~Wf k < 2~ ck 

where the last step used the hypothesis that g^ A ^ (2cqk) 10 ^ 9 , and the previous step used that 
L = ck. This finishes the proof that T is (J 7 , s, A, L)-h.s.e except with 2~^( fc ) probability. 

Suppose we now condition on the event that |T n W\ ^ L (which we showed happens with 
high probability) after the Pi's are picked. Let us now prove that w.h.p over the choice of the 
Qi's, H = T n r(Qi,Q2) ■ ■ ■ ,Qb) intersects every W G T at not more than I points. Note that 
H fl W C r n W, so only the (at most L) elements of T n W can belong to H n W. Fixing a 
W G J 7 , the probability that at least ^ elements of T n belong to is at most ( • q~^ ki since 
the probability that a fixed y 6 Fj belongs to T(Qi, . . . , Q&) equals ((/~^ A ) b = By a union 

bound over all W G J 7 , the conditional probability that |iJ fl W| > £ for some G J- is at most 

ckjj. -C,U ^ ck 0.9CAi -(k£ ^ ck -O.^U _ 
Choosing ^ = 20c/C, this probability is at most g _cfc . □ 



4.4 Efficient encoding of h.s.e. subsets 

The construction of the h.s.e set in (|14p allows for efficient membership checks in H — once 
the Pj's and Qi's are sampled, it follows from Definition [7] that one can check membership in 
r(Pi, P2, . . . , Pb) and T(Qi, Q2, ■ ■ ■ , Qb)- The construction does not, however, provide an efficient 
method to index into elements of H, which is necessary for efficient encoding of messages into 
elements of H. In this section we will show that w.h.p. H contains a certain subset that permits 
efficient encoding. 

(I 3f)}» 

We will describe this subset of H by giving an encoding map from strings in ¥ K q ' to the set. 
We will then prove that the map is well-defined. 
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Definition 8 (Encoding into the h.s.e set). Given the polynomials P\,P2, ■ ■ ■ ,Pb and Qi, . . . , Qb, 

and the subsets Aj C ¥ q iA, the encoding of x = (xi, X2, ■ ■ ■ , Xb) where Xi £ Fq 1 , proceeds as 
follows: 

For i = 1,2, ... ,b 

• Let fii £ F 3 ,^ be the lexicographically first string such that Pi(pi(xi o fii o ■ ■ ■ o X{ o /%)) £ Aj 
and Qi{pi{x\ o o • • • o £j o /%)) e Aj. //no swc/i /3j exists, fail. 

Output x\ o ^ o x 2 o /?2 o • • • o Xb o /3 6 £ W q as i/ie encoding of x. 

We wi/Z denote the above encoding map by HSE and re/er to A as its period size (we suppress 
the dependence of the map on the Pi 's and Qi 's for convenience). 

We now prove that the above map is well-defined, in the sense that the required /3j's will exist 
with high probability. Note that HSE, when it is well-defined, is an injective map. 

Lemma 4.5. Suppose the parameters satisfy 3gA and A ^ 6k. For every choice of the 

subsets Aj C F ? *a with |Aj| = q^~^ A , the following holds with probability at least 1 — over 
the choice of the random degree A polynomials {Pi : 1 ^ i ^ b} and {Qi : 1 ^ i ^ b}: For all 
x = (xi,X2, • • • , Xb) where Xj £ Fq 1 3 ^ A , the above procedure successfully encodes x. 
The encoding complexity is at most 0(a 3< ' A Xk 2 log 2 k) operations over¥ q . 

Proof. First, let us note that the encoding complexity is as claimed when the encoding succeeds. 
Given a £ ¥ q iA we can compute -Pj(a) and Qj(a) using at most 0(AZc log 2 k) reoperations. We can 
pick Aj so that membership of an element of F^iA in Aj can be checked using 0(k 2 ) operations. 
Therefore, for each i = 1,2, ... ,6, the search for /3j takes g 3< > A ■ 0(Xklog 2 k) operations over F„. 
This gives a bound of 0(q 3< > A Xk 2 log 2 k) operations over ¥ q for the total encoding complexity. 

Let us now prove that HSE(x) exists for all x with high probability, taken over the choice of 

(1— 2C)k 

the random polynomials Pi, Qi. Fix an x £ ¥q . For 1 ^ j ^ b, conditioned on the choice of 
Pi, fa, ■ ■ ■ , (3j-i, the probability that a fixed a £ F 3 ^ satisfies Pj(pj(xio(3io- ■ ■ Xj_io/3j„ioxjoa)) £ 
Aj and Qj(pj(xi o fti o ■ ■ ■ Xj-i o /3j-i o xj o a)) £ Aj is g _2 ^ A . Let Nj be the random variable equal 
to the number of elements a £ F 3 ^ A such that Pj(pj(xi o f}\o ••■ Xj-i o /3 J _ 1 o xj o a)) £ Aj and 

Qj(pj(xi o 0i o ■ ■ • Xj-i o fij-i o Xj o q)) £ Aj. The expected value of Nj equals p = f g^ A . Note that 
p ^ 3gA by the hypothesis in the lemma. 

By concentration inequalities for A-wise independent random variables, see for example |BR94l 
Lemma 2.3], the probability that Nj = is at most 



Summing up these conditional probabilities for j = 1,2, ... ,b, the probability that HSE(x) does 




not exist is at most b ■ q ^ q . Finally, a union bound over all x £ F q ~ 
probability that some x does not have a valid encoding HSE(x) is at most q~ 



(i-3C)fc 



shows that the 
□ 



— A' 
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Suppose the polynomials Pi, Qi, 1 ^ i ^ b, are such that HSE(x) is defined for all x G ¥ q . 
This implies that the set 9 = {HSE(x) | x G F^~ 3C)fc } has size gt 1 " 3 ^. Also note that 6 C H = 
r(Pi, P2, . . . , Pb) n r(Qi, . . . , Qb). Thus if i? is (J 7 , s, A, L)-h.s.e and (J 7 , sb, ^)-evasive then so is 0. 
Therefore the claim of Theorem 14,41 also holds for 0. Putting these together, we have the following 
main result on the pseudorandom construction of efficiently encodable h.s.e sets. The elements of 
this h.s.e set will give the subset of messages that we will encoded by the folded algebraic codes for 
our final list-decodable code construction. The proof is an immediate consequence of Theorem 14.41 
and Lemma 14.51 (note that the stated conditions (|15p on the parameters meet the requirements of 
both Theorem 14.41 and Lemma l4.5p . 

Theorem 4.6 (Main construction of h.s.e. subsets). Suppose b,c, A, k, s are positive integers and 
C G (0, 1) such that following requirements are met: 

k = bA; s< CA/10; q^ ^ {2cqk) w ' 9 . (15) 

Let J 7 be a family of (s, A) -periodic subspaces of ¥ k with \J 7 \ ^ q ck . Then, for a random and 
independent choice of polynomials Pi,Qi G F g ;A[T] of degree A = m&x{6k,ck + 1} and any subsets 
Ai of size q(* - £) A for i = 1,2, ■ ■ ■ ,b, the following conditions both hold with probability at least 
1 _ 2-n(*0 : 

1. HSE : F^~ 3C)fc -> F^ from Definition^ is a well-defined injective map, and can be computed 
using 0(q 3< '^ L k 3 log 2 k) operations over¥ q . 

2. The set H = T(Pi, . . . , Pb)r\T(Qi, . . . , Qb), and in particular the image of HSE, is a (J 7 , s, A, ck)- 
h.s.e and a (J 7 , sb ,20c/ '()- evasive subset of¥g. 



4.5 Efficient computation of intersection with h.s.e. subsets 

The key aspect which makes h.s.e subsets useful in our context to prune the affine space of candi- 
date messages, and indeed motivated the exact specifics of the definition and construction, is the 
following claim which shows that intersection of a (s, A)-periodic subspace with our h.s.e set can 
found efficiently. 

Lemma 4.7. Suppose polynomials Pi, Qi, i = 1, 2, . . . , b, of degree A = max{6/c, ck + 1} have been 
picked so that the map HSE satisfies the conditions of Theorem \4-6\ w.r.t some family T of at 
most q ck affine subspaces of ¥ k each of which is (s, A) -periodic. Then given a representation of 

W G J- (as in Definition^, we can find the list of at most 0(c/C) values o/x G F^ 1 such that 
HSE(x) G J- using O (c 2 (kq s + q 3 ^^)k 3 log 2 k) operations over ¥ q . 

Proof. The fact that there are at most £ solutions x follows immediately from the fact that the 
image of HSE is (T, sb, ^)-evasive. So we only need to argue about the time complexity. 

For 1 ^ i ^ b, define Hi = proj iA (if) where H = T(P\, . . . , Pb)nT(Q\, . . . , Qb). Likewise, define 
Wi = proj iA (W / ). To compute the intersection H(lW list efficiently, we iteratively find WidHi for 
i = 1, 2, . . . , b as follows. Recall that we know that \Hif] Wi\ ^ L for each % as H is (J-, s, A, L)-h.s.e. 
For each of the at most L = ck candidates in Wi-i n -ffj-i, as W is (s, A)-periodic, there are at 
most q s possible extensions to the next block of (g— 1) coordinates which we can find and list using 
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0(q s ■ kA) operations. (The kA term comes from computing the affine shift for the i'th block for 
that particular prefix of (i — 1)A symbols.) 

We then test each of L-q s candidates for membership in Tj which can be done using 0{ck 2 log 2 k) 
F g -operations time by evaluating the degree A polynomial and checking that the resulting value 
belongs to Aj. By the (F, s, A, L)-h.s.e property of H there are at most L of these candidates 
that can belong to Hi, thus bringing our list size back to L. The runtime for each iterative step is 
0(Lq s kA + Lq s ck 2 log 2 k) = 0(cLq s k 2 log 2 k) reoperations, leading to an overall runtime for all 
b < k stages of 0(cLq s k s log 2 k) operations over Y q to recover the intersection H n W. Finally for 
each y G H n W, we can check if it is the range of HSE by writing y = x\ o fa o • • • o Xb o fa and 
checking that HSE(xi o X2 o ■ ■ • o xj,) = y, which takes 0(q^^ck i log 2 k) operations over ¥ q . □ 



5 Combining folded Hermitian codes and h.s.e sets 

Instead of encoding arbitrary f G F^' by the folded Hermitian code (Definition [3]) , we can restrict the 
messages f to belong to the range of our h.s.e set, so that the affine space of solutions guaranteed 
by Lemma 13.71 can be efficiently pruned to a small list. The formal claim is below. 

Theorem 5.1. Let e ^ 2 be an integer, r ^ 2e be a large enough prime power, q = r 2 , and 
C £ (1/(7,1). Let k ^ qii/ 2 be a positive integer. Let s,m be positive integers satisfying 1 ^ s ^ 
m ^ q — 1 and s < Qq/12. Finally let N be an integer satisfying k + 2er e ^ Nm ^ {q — l)r e . 

Consider the code C\ with encoding E\ : Fq 1 3 ^ k — > (¥' q n ) N defined as 

^i(x) = FH(iV,fc,g,e,m)(HSE(x)) , 

for HSE : F^ 1 3 ^ fc — > ¥ q from Definition^ for a period size A = q — 1. 

Then, with high probability over the choice o/HSE ; this code has rate R = (l — 3C)k/(Nm), can 
be encoded in poly(A r mg^ <? ) time, and is (r,£)-list decodable in time poly(Nmq^ q ) for i ^ 0(1/(R()) 
and 

s ( k \ 3m er e 

s + l \ N(m — s + 1) J m — s + 1 mN 

Proof. This follows by just combining the ingredients we have developed so far. Since g e ^ er e 
by ([2]) , the condition on N, m meets the requirement for the construction of the folded Hermitian 
tower based code in Definition [2j 

Whp, the map HSE is well-defined and injective, and so E\ is an injective encoding. The rate 
of the code is therefore clearly as claimed. With A = q — 1, one can check that the conditions of 
Theorem 14.61 are met for our choice of s, q, k. By Theorem 14.61 . Part 1, HSE can be computed in 
time poly(A r mg^ <? ) and hence so can E\ (as FH is efficiently encodable as well). 

The claimed value of the error fraction r satisfies (|13|) since the genus is at most er e by ([5]). 
By Lemma 13.71 we know that the candidate messages found by the decoder lie in one of at most 
q2Nm poggibig ( S) q — l)-periodic subspaces. Appealing to Theorem 14.61 and Lemma 14.71 with the 
choice c = 2Nm/k = 0(1/R), we conclude that there is a decoding algorithm running in time 
poly(Nmq^ q ) to list decode C\ from a fraction r of errors, outputting at most 0(1/ (RQ) messages 
in the worst-case. □ 
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Let e > be a small positive constant, and a family of codes of length N (assumed large enough) 
and rate R E (0, 1) is sought. Pick n to be a growing parameter. 

By picking s = 0(l/e), m = G(l/e 2 ), r = LlognJ, e = f iogfogj ' C = Ognloglogn)- 1 , 
AT = |_- — — — J, and k proportional to Nm in Theorem 15 .1\ we can conclude the following. 

Corollary 5.2. For any R E (0, 1) and positive constant e E (0, 1), there is a Monte Carlo 
construction of a family of codes of rate at least R over an alphabet size 

(logiV) ^ 2 ) that are 

encodable and (1 — R — s, 0{R~ l log AToglog N))-list decodable in poly(iV, 1/e) time, where N is 
the block length of the code. 

Our promised main result (Theorem II. ip achieves better parameters than the above — an 
alphabet size of exp(0(l/e 2 )) and list-size of 0(l/(Re)). This is based on the Garcia-Stichtenoth 
tower and is described next. 

6 Folded codes from the Garcia-Stichtenoth tower 

Compared with the Hermitian tower of function fields, the Garcia-Stichtenoth tower of function 
fields yields folded codes with better parameters due to the fact that the Garcia-Stichtenoth tower 
is an optimal one in the sense that the ratio of number of rational places against genus achieves 
the maximal possible value. The construction of folded codes from the Garcia-Stichtenoth tower is 
almost identical to the one from the Hermitian tower except for one major difference: the redefined 
code from the Garcia-Stichtenoth tower is constructed in terms of the local expansion at point P^, 
while in the Hermitian case local expansion at Pq is considered. For convenience of the reader, we 
give a parallel description of folded codes from the Garcia-Stichtenoth tower, while only sketching 
the identical parts. 

6.1 Background on Garcia-Stichtenoth tower 

Again let r be a prime power and let q = r 2 . We denote by ¥ q the finite field with q elements. 
The Garcia-Stichtenoth towers that we are going to use for our code construction were discussed 
in (GS95, GS96]. The reader may refer to |GS95tlGS96] for the detailed background on the Garcia- 
Stichtenoth function tower. There are two optimal Garcia-Stichtenoth towers that are equivalent. 
For simplicity, we introduce the tower defined by the following recursive equations |GS96] 

x\\_i + X{-\-i = — 7p -, z = l,2,...,e — 1. 
x\ +1 

Put K e = Fq(xi, X2, • • • , x e ) for e ^ 2. 

Rational places. The function field K e has at least r e_1 (r 2 — r) + 1 rational places. One of these 
is the "point at infinity" which is the unique pole Poo of x\ (and is fully ramified). The other 
r e_1 (r 2 — r) come from the rational places lying over the unique zero of x\ — a for each a E F g with 
a r + a/0. Note that for every a E ¥ q with a r + a/0, the unique zero of x\ — a splits completely 
in K e , i.e., there are r e_1 rational places lying over the zero of x\ — a. Let P be the set of all the 
rational places lying over the zero of x\ — a for all a£F g with a r + a/0. Then, intuitively, one 
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can think of the r e 1 (r 2 — r) rational places in P as being given by e-tuples (a\, (X2, ■ ■ ■ , a e ) G R 
that satisfy + aj+i = r "| for i = 1, 2, . . . , e — 1 and a£ + aj 7^ 0. For each value of a G F 9 , 

there are precisely r solutions to /3 G F 9 satisfying j3 r + (3 = a r-i +1 , so the number of such e-tuples 
is r e_1 (r 2 — r) (r 2 — r choices for ai, and then r choices for each successive ai, 2 i ^ e). 



Riemann-Roch spaces. As shown in SAK + 01 , every function of K e with a pole only at has 
an expression of the form 



x? 



'(e-2)r+l r _i r _l j j 

1,1 



il=0 «2=0 i e =0 



where a ^ 0, c\ G F 9 , and for 1 ^ j < e, hj = x r ^ 1 + 1 and 7Tj = /11/12 • • • Moreover, Shum et al. 
[SAK+01] present an algorithm running in time polynomial in I that outputs a basis of over ¥ q of 
£(lPoo) explicitly in the above form. 

We stress that evaluating elements of C(lPoo) at the rational places of P is easy: we simply have 
to evaluate a linear combination of the monomials allowed in f)16|) at the tuples (a±, a?, • • • , ct e ) G F^ 
mentioned above. In other words, it is just evaluating an e-variate polynomial at a specific subset 
of r e_1 (r 2 — r) points of FJL and can be accomplished in polynomial time. 

Genus. The genus g e of the function field K e is given by 



9e 



[r e / 2 — l) 2 if e is even 

( r (e-l)/2 _ !)( r (e+l)/2 _ y if g ig odd 



Thus the genus g e is at most r e . (Compare this with the er e bound for the Hermitian tower; this 
smaller genus is what allows to pick e as large as we want in the Garcia-Stichtenoth tower, while 
keeping the field size q fixed.) 

A useful automorphism. Let 7 be a primitive element of F r and consider the automorphism 
a G Aut(K e /¥ q ) defined by 

a : Xi 1— > ry( r+1 } r Xi for i = 1,2, ... ,e. 
Then the order of g is r — 1 and furthermore, we have the following facts: 

(i) g keeps P^ unchanged, i.e., Poo CT = -Poo! 

(ii) Let P be the set of all the rational places lying over x± — a for all a G ¥ q with a r + a 7^ 0. 
Then |P| = (r — l)r e . Moreover, g divides P into r e orbits and each orbit has r — 1 places. 
For an integer m with 1 ^ m ^ 1 — 1, we can label Nm distinct elements 

p per per*™- 1 p per pcr m_1 

r l)M)-"i r l > • • • > r N , r N , ■ ■ ■ , r N 
in P, as long as N ^ r e ■ 

The folded codes from the Garcia-Stichtenoth tower are defined similarly to the Hermitian case. 
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Definition 9 (Folded codes from the Garcia-Stichtenoth tower). Assume that m,k,N are positive 
integers satisfying 1 ^ m ^ r — 1 and l/m < N ^ r e [_^^-J • The folded code from K e with 
parameters N ,l,q,e,m, denoted by FGS(N,l,q,e,m), encodes a message function f G C(lPoo) as 



/-> 





r f(Pi) ' 




/(ft) 




KPn) 














f(p%) 




V 






. f(Pf l ") _ 






) 



g(f™) 



N 



(17) 



Then we have a similar result on parameters of FGS(iV, I, q, e, m). 

Lemma 6.1. The above code FGS(N,l,q,e,m) is an ¥ q -linear code over alphabet size q m , rate at 
least , and minimum distance at least N — ~. 



6.2 Redefining the code in terms of local expansion at 

In the Hermitain case, we use coefficients of its power series expansion around Pq. However, for 
the Garcia-Stictenoth tower we do not have such a nice point Po. Fortunately, we can use point 
Poo to achieve our mission. 

Again for our decoding, we will actually recover the message / G C(lPoo) in terms of the 
coefficients of its power series expansion around Poo 

/ = P~'(/o + /iP + / 2 P 2 + ---) 
where T := — is the local parameter at Poo (which means that x e has exactly one pole at P^, i.e., 

VPoo( x e) = -!)• 

In this case we can also show that one can efficiently move back-and-forth between the represen- 
tation of / G C(lPoo) in terms of a basis for £(/Poo) and its power series representation (/o, ft, . . . ) 
around Pqo- Since the mapping / \-t (/o,/i,---) is Fq-linear, it suffices to compute the local 
expansion at Pqo of a basis for £(/Pqo). 

Lemma 6.2. For any n, one can compute the first n terms of the local expansion of the basis 
elements ([TBI) at Pqo using poly (re) operations over ¥ q . 

Proof. First let h be a nonzero function in ¥ q (x±,X2, ■ ■ ■ ,x e ) with vp^ih) = »£Z. Assume that 
the local expansion h = T v J^'jLo a fP^ * s known. To find the local expansion ^ = T~ v Yl'jLo '■ 
Consider the identity 

Then by comparing the coefficients of T l in the above identity, one has cq = a 1 and q = 
— <2q 1 (cj_iai + • • • + coaj) can be easily computed recursively for all i ^ 1. 

Thus, by the structure of the basis functions in (|16p . it is sufficient to find an algorithm of 
efficiently finding local expansions of Xi at Px, for every i = 1, 2, . . . , e. We can inductively find the 
local expansions of Xi at Px, as follows. We note that vp^ixi) = —r e ~ % for i = 1,2, ... ,e. 
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For i = e, x e has the local expansion j, at P^. 

Now assume that we know the local expansion of X{. Then we can easily compute the local 
expansion of x\ + Xi and hence the local expansion of l/(x\ Let us assume that l/(x\ + Xi) 

has local expansion l/(x r - + x^) = T r£ * +1 Yl'jLo ^ a ^ f° r some a i ^ ^g- Assume that 1/xi-i 
has the local expansion 1/xi-i = T r& 1+1 Y^jLofij^ ■ To find /3j, we consider the identity 

oo oo i/i\ r 'i 00 

rr e- i+ l ^-,+2 y. • = _1_ / _1_ \ = = y. & ■ 

By comparing the coefficients of T J + rC 1+1 in the above identity, we have that /3q = ao and (3j can 
be easily computed recursively by the following formula for all i ^ 1. 

ay if r /j 

"i-^/r-i ifr lj- 

Therefore, the local expansion of at Px, can be easily computed. □ 

As in the Hermitian case, we will actually need to index the messages of the code by the first 
k coefficients (fo, fi, ■ ■ ■ , fk-i) of the local expansion of the function / at Px,. 

Let us define the local expansion map evp^ : C((k + 2g e — l)Poo) — > ¥ q that maps / to 
(fo, fx, ■ ■ ■ , fk-i) where / = T -( k + 2 ^)(f + f x T + f 2 T 2 + ■ ■ ■ ) is the local expansion of / at P w . 

Claim 6.3. evp^ is an ¥ q -linear surjective map. Further, we can compute evp^ using poly(fc, g e ) 
operations over ¥ q given a representation of the input f E C((k + 2g e — l)Poo) in terms of the basis 

CED- 

The proof of this claim is similar to Claim Note that the kernel of evp^ is C((2g e — l)Poo) 
which has dimension exactly g e by the Riemann-Roch theorem. 

For each (/o, /1, . . . , fk-i) £ F^, we can therefore pick a pre-image in C((k + 2g e — l)P OQ ). 
For convenience, we will denote an injective map making such a unique choice by Kp^ : F^ — > 
C((k + 2g e — l)P 0O ). By picking the pre-images of a basis of ¥ q and extending it by linearity, we 
can assume Kp^ to be F^-linear, and thus specify it by a (k + g e ) x k matrix. We record this fact 
for easy reference below. 

Claim 6.4. The map Kp x : ¥ q — > C((k + 2g e — l)Poo) is ¥ q -linear and injective. We can compute a 
representation of this linear transformation using poly (k, g e ) operations over¥ q , and the map itself 
can be evaluated using poly(k,g e ) operations over¥ q . 

Now we redefine a version of the folded Garcia-Stichtenoth code that maps F^ to (¥ q n ) N by com- 
posing the folded encoding (|17p from the original Definition [9] with Kp^. 

Definition 10 (Folded Garcia-Stichtenoth code using local expansion). The folded Garcia-Stichtenoth 
code (FGS code for short) FGS(N, k, q, e, m) maps f = (/o, /1, . . . , fk-i) £ F^ to FGS(iV, k + 2g e — 

The rate of the above code equals k/(Nm) and its distance is at least N — (k + 2g e — l)/m. 
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6.3 List decoding FGS codes 

The list decoding part for the codes from the Garcia-Stichtenoth tower is almost identical to the 
Hermitian tower. We only sketch this part briefly. 

If / is a function in C((k + 2g e — l)Poo) whose encoding (fT7|) agrees with the received word y 
in at least t columns with t > P ~^"^ e 1 ~ 1 and 

_ N(m -s + l)-k + (s- l)g e + 1 
~ I s + 1 

then there exist A4 £ £(-DPoo) for i = 1, 2, . . . , s and Aq £ C((D + k + 2g e — l)Poo) such that they 
are not all zero and 

Qif, r _1 , . . . , r" (s_1) ) = a, + A x f + ^r -1 + • • • + Ar~ (s_1) = o. (is) 

Solving the functional equation for f . As in the Hermitian case, our goal next is to recover the 
list of solutions / to the functional equation (|18|) . Recall that our message functions lie in Imf/tp^), 
so we can recover / by recovering the top k coefficients (/o, fx, . . . , fk—i) of its local expansion. 

00 

j. = r _ (fe+2ge -i) j2 jpi (19) 
3=0 

at Pqo. We now prove that (/o, /1, • • • , /fc-i) for / satisfying Equation (fl~8j) belong to a "periodic" 
subspace (in the sense of Definition [T]) of not too large dimension. 

Lemma 6.5. The set of solutions (/o, fx, . . . , fk-i) £ such that 

00 

/ = r-( fe + 2 ^- 1 ) £ e + 2 5e - ijp^) 
3=0 

obeys equation 

A + Axf + A 2 r~ 1 +■■■+ ^r" (s_1) = (20) 

when at least one Ai is nonzero is an affine subspace W of dimension at most (s — 1) ^rj • 

Further, there are at most q Nm + s + 1 possible choices of the subspace W , each of which is (s, r— 1)- 
periodic. 

Given the representation of each Ai w.r.t the basis (|16f) . we can find a representation ofW in 
terms of the periodic subspace U of dimension less than s, and the affine shifts in each window of 
r — 1 coordinates, in the sense of Definition [7J 

Proof. Let u = minjz^p^ (Ai) : i = 1, 2, . . . , s}. Then it is clear that u ^ and i / p 00 (Aq) ^ 
u — (k + 2g e — 1). Each Ai has a local expansion at P*,: 

00 
3=0 
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for i = 1, . . . , s — 1 and Aq has a local expansion at P c 



oo ■ 

oo 



A = T u ~( k+2 ^-V ^ a 0d T j 

j=0 

Prom the definition of u, one knows that the polynomial 

B (X) := a lfi + a 2fi X + ■■■+ a sfi X s 

is nonzero. 



Assume that at P^, , the function / has a local expansion (1191) . Then f u has a local expansion 
at Poo as follows 

oo 

— £-{k+2g e -l)ij,-(k+2g e -l) >i j^j 

3=0 

where £ = 1/7. 

The coefficient of T^+u-^ge-i) in the local expansion of Q(f, f a ~\. . . , / CT ~ (s_1) ) is 

d-l 

= B{e- {k+29 *- i] )f d + e b ^ + °o.* ( 21 ) 

8=0 

where bi 6 F 9 is a linear combination of aij which does not involve fj. Hence, fd is uniquely 
determined by / , . . . , fd-i as long as _B(£<M fe +3 e_1 )) 7^ 0. 

Let S := {0 < d < r - 2 : J3(fH*+ffe-i)) = 0}. Then it is clear that |5| < s - 1 since the 
order of £ is r — 1 and Bq(X) has degree at most s — 1. Thus, j3(£ d_ ( fe + Se_1 )) ^ if and only if j 
mod (r — 1) £ 5; and in this case fj is a fixed affine linear combination of /j for ^ i < j. Note 

that Bo(^) fi &s a t most (s — 1) roots among : i = 0, 1, . . . , k — 1}. It follows that the 

set of solutions (/o, /1, • • • , /fc-i) is an affine space IV C Fj, and the dimension of W is at most 

(— 1) [Al- 

The fact that is (s, r — l)-smooth follows from (|2ip and noting that the coefficients bd~j for 

j ^ 1 in that equation are given by Bj(^ d ~^ k+29e ~^) wrie re -Bj(X) := ai i j + a 2 jXH Va s jX s ~ l . 

Therefore, once the values of fi, ^ i < (j — l)(r — 1) are fixed, the possible choices for the next 
block of (r — 1) coordinates, f(j_i\t r _i\, • • • , /,-( r _i)_i, lie in an affine shift of a fixed subspace of 
dimension at most (s — 1). Further, the affine shift is an affine linear combination of the /j's in the 
previous blocks. 

Finally, by the choice of D, the total number of possible (^4o ; Ai, . . . , A s ) and hence the number 
of possible functional equations (|20p . is at most q N ( m ~ s + l )+ s + 1 <^ qNm+s+i_ Therefore, the number 
of possible candidate subspaces W is also at most q Nm + s + 1 _ □ 



Similar to the bound (|13p for the Hermitian case, we conclude, after some simple calculations 
and using the upper bound on genus g e ^ r e , that one can find a representation of the (s,r — 1)- 
periodic subspace containing all candidate messages (/o, /1, • • • , fk-i) m polynomial time, when the 
fraction of errors r = 1 — t/N satisfies 

< S ( 1 ^ ^ ^ m r& (22) 

Tn s + 1 \ N{m-s + l)J m-s + lmN' ^ ' 
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6.4 Combining FGS codes and h.s.e sets 



Similarly to Section [SJ we now show how to pre-code the messages of the FGS code with a h.s.e 
subset. The approach is similar, though we need one idea to ensure that we can pick parameters 
so that the base field F^ can be constant-sized and obtain a final list-size bound that is a constant 
independent of the code length. This idea is to work with a larger "period size" A for the periodic 
subspaces, based on the following observation. 

Observation 6.6. Let W be an (s, A) -periodic subspace of F^ for k = bA. Then W is also 
(su, Au)-periodic for every integer u, 1 ^ u ^ b. 

As in the Hermitian case, instead of encoding arbitrary f E by the folded Garcia-Stichtenoth 
code (Definition [3]), we will restrict the messages f to belong to the range of our h.s.e set. This will 
ensure that the affine space of solutions guaranteed by Lemma 16.51 can be efficiently pruned to a 
small list. 

Theorem 6.7. Let r be a prime power, q = r 2 , and e ^ 2 be an integer, and £ £ (0,1). Let 
k g^ A / 2 be a positive integer. Let A k be a multiple of (r — 1), say A = u(r — 1) for a positive 



Let s,m be positive integers satisfying l^s^m^r — 1 and s < (r/Yl. Finally let N be an 
integer satisfying k + 2r e ^ Nm ^ (r — l)r e . 



Then, with high probability over the choice o/HSE with period size A, this code has rate R = (1 — 



Proof. This follows by just combining the ingredients we have developed so far. Since the genus 
g e is upper bounded r e , the condition on N, m meets the requirement for the construction of the 
folded codes based on Garcia-Stichtenoth tower in Definition [9) 

Whp, the map HSE is well-defined and injective, and so Ei is an injective encoding. The rate 
of the code is therefore clearly as claimed. By Theorem 14.61 . Part 1, HSE can be computed in time 
poly(iVra(^ A ) and hence so can E\ (as FGS is efficiently encodable as well). 

The claimed value of the error fraction r is just the bound (|22p. By Lemma 16.51 we know that 
the candidate messages found by the decoder lie in one of at most q 2Nm possible (s, r — l)-periodic 
subspaces. By Observation 16.61 each of these subspaces is also (su, A)-periodic. One can check 
that the conditions of Theorem 14.61 are met for our choice of £, q, A, k and taking su to play the 
role of s (since s < £r/12, we have su < (A/10). 

Appealing to Theorem 14.61 and Lemma 14. 71 with the choice c = 2Nm/k = 0(1/R), we conclude 
that there is a decoding algorithm running in time poly(A r mg^ A ) to list decode C2 from a fraction 
r of errors, outputting at most 0(l/(R()) messages in the worst-case. □ 



integer u. 




defined as 
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Finally, all that is left to be done is to pick parameters to show how the above can lead to 
optimal rate list-decodable codes over a constant-sized alphabet which further achieve very good 
lists-size. 

Let e > be a small positive constant, and a family of codes of length N (assumed large enough) 
and rate R G (0, 1) is sought. Pick n to be a growing parameter. 

Let us pick s = 9(l/e), m = 6(l/e 2 ), C = e/6, r = 8(l/e), g = r 2 , and e = fg|2], 

N = \_ ^~^ r J, and = RNm(l + e). This ensures that (i) there are at least n = Nm rational 
places and so we get a code of length at least n/m = N, (ii) the rate of the code C2 is at least R, 
and (iii) the error fraction fj23[) is at least 1 — R — e. 

The remaining part is to pick a multiple A of (r — 1) so that the k ^ <^ A//2 condition is met. 
This can be achieved by choosing u = \ ^jWhs 1 an d A = (r — l)u. With these choices, we can 
conclude the following, which is the main final result of this paper. 

Theorem 6.8 (Main; Corollary to Theorem 16.71 with above choice of parameters). For any R G 

(0, 1) and positive constant e S (0, 1), there is a Monte Carlo construction of a family of codes of rate 
at least R over an alphabet size exp(0(log(l/e)/e 2 )) that are encodable and (1—R—e, 0(1/ (Re)) -list 
decodable in poly(N) time, where N is the block length of the code. 

It may be instructive to recap why the Hermitian tower could not give a result like the above 
one. In the Hermitian case, the ratio g e /n of the genus to the number of rational places was about 
e/r = e/y/q, and thus we needed q > e 2 . Since the period A was about q, the running time 
of the decoder was bigger than q^i\ whereas the length of the code was at most qOiVq). This 
dictated the choice of q ~ log 2 n, and then to keep the running time polynomial, we had to take 
C ~ (lognloglogn) -1 . 
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